Technical Field
This disclosure relates generally to information security on network-connected appliances.
Background of the Related Art
Security threats are continually evolving. With the rapid growth of cutting-edge web applications and increased file sharing, activities that may have been considered harmless in the past could become potential openings for attackers. Traditional security means, such as anti-malware software and firewalls, have become easier to bypass. Thus, there is a significant need for more advanced, proactive threat protection that can help provide comprehensive security against new and emerging threats.
Network-connected, non-display devices (“appliances”) are ubiquitous in many computing environments. For example, appliances built purposely for performing traditional middleware service oriented architecture (SOA) functions are prevalent across certain computer environments. SOA middleware appliances may simplify, help secure or accelerate XML and Web services deployments while extending an existing SOA infrastructure across an enterprise. The utilization of middleware-purposed hardware and a lightweight middleware stack can address the performance burden experienced by conventional software solutions. In addition, the appliance form-factor provides a secure, consumable packaging for implementing middleware SOA functions. One particular advantage that these types of devices provide is to offload processing from back-end systems. To this end, it is well known to use such middleware devices to perform computationally expensive processes related to network security. For example, network intrusion prevention system (IPS) appliances are designed to sit at the entry points to an enterprise network to protect business-critical assets, such as internal networks, servers, endpoints and applications, from malicious threats. Such devices can provide inline content inspection and modification for various purposes, such as to neutralize or eliminate malicious, offensive or otherwise objectionable content from network traffic, decrypt encrypted (SSL/TLS) network traffic to perform security inspection, inject content (e.g., advertisements and security notifications), and the like.
Traditional network content inspection and modification has been performed using network proxies, which often suffer from poor performance and lack of scalability, and which require either client reconfiguration or deployment of a transparent gateway device. Performance in such devices is impacted negatively by the proxy's requirements for data copying, buffering, context switching, and connection termination and re-origination. The lack of scalability is a consequence of the proxy's connection termination and re-origination, as well as its dependency on often-limited operating system resources such as network buffers, file descriptors, socket handles, and TCP ports. TCP session handling in such devices requires a full implementation of the TCP/IP stack, including TCP timers. Terminating network proxies typically also require manual configuration, which increases deployment and maintenance costs, as a connection proxy requires two separate IP addresses. Depending on where the device must be deployed, the cost may be significant. Such devices also are not easily provisioned into cloud-based deployments.